US9081985B1 - System and method for operating a computing device in a secure mode - Google Patents


Info

Publication number
US9081985B1
Authority
US
United States
Prior art keywords
computing device
operating
operating mode
processors
secure
Prior art date
Legal status
Active
Application number
US14/190,634
Inventor
Nayer Naguib
Current Assignee
Google LLC
Original Assignee
Google LLC
Priority date
Filing date
Publication date
Application filed by Google LLC
Priority to US14/190,634
Assigned to GOOGLE INC. (assignment of assignors' interest; assignor: NAGUIB, NAYER)
Application granted
Publication of US9081985B1
Assigned to GOOGLE LLC (change of name from GOOGLE INC.)
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Definitions

  • the invention relates generally to a secure operating mode of a computer device and, more particularly, to a secure operating mode of a computing device for executing security-critical Internet applications and preventing interception of user-provided information.
  • Internet based services require a high degree of security. Examples include Internet banking, electronic interaction with government services, and documents or files that are provided with a legally binding digital signature.
  • Typical computing environments may not be secure enough to prevent a user from being exposed to different types of attacks that seek to capture user-provided information and to use the captured information to process fraudulent transactions.
  • Unscrupulous third parties may capture user-provided information in different ways.
  • a keylogger program may be installed on the user's computer to capture information entered using a keyboard.
  • the keylogger program may be installed by exploiting operating system vulnerabilities or by deceiving the user to execute malicious software.
  • the user may be transported to a website where user-provided information may be captured.
  • a computer display may be manipulated to deceive the user into signing a fraudulent transaction using a legally-binding digital signature.
  • Malicious software is under continuous development, and may be tailored to target a limited set of users in which case the malicious software may not be identified even by up-to-date anti-virus and internet security software.
  • a computing system may be infected without the user installing any software, as in the case of browser vulnerabilities which allow remote code execution.
  • an external smart card reader is connected to the computer to download transaction details.
  • the user may view the transaction details on the reader's display, insert a smart card that contains a private key into the reader, and enter a personal identification number (PIN) in order to sign the transaction.
  • the smart card reader may prevent capture of the PIN and the reader's firmware may not be manipulated by the computer since the reader only downloads transaction data from the computer. In other words, executable instructions are not downloaded to the reader.
  • the requirement of an additional smart card reader increases costs and the use of smart cards is inconvenient.
  • aspects of the invention provide a user with the ability to select a secure operating mode of a computing device before the operating system of the computing device is booted.
  • before receiving selection of the secure operating mode, computer hardware is initialized to verify the bootloader of the operating system, to guarantee that the bootloader has not been patched. Then, in response to receiving selection of the secure operating mode, the verified bootloader verifies the operating system kernel.
  • the kernel then verifies operating-system level executable files.
  • the files that are verified may be limited to the files to be loaded into memory. After verification, at least some of the verified files are loaded into a portion of the memory that is identified by the kernel as read-only. These files are executed to provide a basic Internet browser session; all other files are identified by the kernel as non-executable.
  • the information may be stored in memory at the computing device as part of the data related to the browser process. The memory, however, is cleared when the user session ends.
  • a method of providing a secure operating mode of a computing device comprises verifying the integrity of a bootloader.
  • a user of the computing device is then provided with an option to select a normal operating mode or a secure operating mode.
  • other components of the computing device are verified.
  • the components that are verified include an operating system kernel file, and operating-system level executable files to be executed in the secure operating mode.
  • the verified files are executed to communicate with a server and conduct a transaction. Information input to the computing device during the transaction is not persisted in a file system of the computing device and cannot be tracked after the user session ends.
  • a system for providing a secure operating mode of a computing device comprises a storage means and a processor logically coupled to the storage means.
  • the storage means stores a bootloader, an operating system kernel and executable files to enable the computing device to communicate over a network.
  • the processor uses read-only firmware to verify the bootloader.
  • the processor is also operable to receive a selection to operate the computing device in a secure operating mode.
  • the processor is additionally operable to verify the operating system kernel and a set of the files to be executed in the secure operating mode.
  • the processor is further operable to execute at least some of the verified files while communicating over the network and conducting a transaction. Information input to the computing device during the transaction is not persisted in the storage means and cannot be tracked after the user session ends.
  • FIG. 1 illustrates a system in accordance with aspects of the invention.
  • FIG. 2 illustrates aspects of the system of FIG. 1 .
  • FIGS. 3A-B illustrate a system and method for operating a computing device in a secure mode to prevent interception of user-provided data in accordance with aspects of the invention.
  • aspects of the invention provide systems and methods for providing a user with an option to select a normal operating mode or a secure operating mode of a computing device.
  • boot firmware verifies a bootloader of an operating system.
  • the bootloader verifies the operating system kernel.
  • the kernel verifies operating-system level executable files (e.g., device drivers).
  • a limited set of the executable files are loaded into a portion of the memory that is identified by the kernel as read-only memory. These read-only files are executed to provide a basic Internet browser session; all other files are identified as non-executable.
  • the same operating system kernel can be used for both normal and secure modes.
  • the bootloader or BIOS passes a parameter to the kernel to specify whether to boot in normal mode or in secure mode, based on the user's selection.
  • Most modern operating system kernels can accept parameters that specify different modes of operation. Accordingly, it is unnecessary to install two separate operating systems (or different subsets of operating system files, such as different kernels, drivers, etc.).
  • FIG. 1 presents a schematic diagram of a computer system depicting various computing devices that can be used alone or in a networked configuration in accordance with aspects of the invention.
  • this figure illustrates a computer network 100 having a plurality of computers 102 , 104 , 106 and 108 as well as other types of devices such as portable electronic devices such as a mobile phone 110 and a PDA 112 .
  • Such devices may be interconnected via a local or direct connection 114 and/or may be coupled via a communications network 116 such as a LAN, WAN, the Internet, etc. and which may be wired or wireless.
  • Each device may include, for example, one or more processing devices and have user inputs such as a keyboard 118 and mouse 120 and/or various other types of input devices such as pen-inputs, joysticks, buttons, touch screens, etc., as well as a display 122 , which could include, for instance, a CRT, LCD, plasma screen monitor, TV, projector, etc.
  • Each computer 102 , 104 , 106 and 108 may be a personal computer, server, etc.
  • computers 102 and 106 may be personal computers while computer 104 may be a server and computer 108 may be a laptop.
  • each computer such as computers 102 and 104 contains a processor 124 , memory/storage 126 and other components typically present in a computer.
  • memory/storage 126 stores information accessible by processor 124 , including instructions 128 that may be executed by the processor 124 and data 130 that may be retrieved, manipulated or stored by the processor.
  • the memory/storage 126 may be of any type or any device capable of storing information accessible by the processor, such as a hard-drive, ROM, RAM, CD-ROM, flash memories, write-capable or read-only memories.
  • the processor 124 may comprise any number of well known processors, such as processors from Intel Corporation. Alternatively, the processor may be a dedicated controller for executing operations, such as an ASIC.
  • the instructions 128 may comprise any set of instructions to be executed directly (such as machine code) or indirectly (such as scripts) by the processor(s).
  • the terms “instructions,” “steps” and “programs” may be used interchangeably herein.
  • the instructions may be stored in any computer language or format, such as in object code or modules of source code.
  • the instructions 128 on the computer 102 may include a bootloader 132 , an operating system kernel 134 and executable files 136 .
  • the bootloader 132 loads and executes the operating system kernel 134 .
  • the operating system kernel 134 continues startup procedures for the computer 102 by linking application software (e.g., executable files 136 ) and the computer hardware (e.g., processor 124 , display 122 , keyboard 118 , and mouse 120 ).
  • Data 130 may be retrieved, stored or modified by processor 124 in accordance with the instructions 128 .
  • the data may be stored as a collection of data.
  • the data may also be formatted in any computer readable format such as, but not limited to, binary values, ASCII or Unicode.
  • the data may include images stored in a variety of formats such as vector-based images or bitmap images using lossless (e.g., PNG) or lossy (e.g., JPEG) encoding.
  • the data may include any information sufficient to identify the relevant information, such as descriptive text, proprietary codes, pointers, references to data stored in other memories (including other network locations) or information which is used by a function to calculate the relevant data.
  • the data 130 stored on computer 102 may comprise information regarding the minimum set of executable files 136 that are required to provide a user with a basic Internet browser session.
  • the data 130 on computer 104 may also include a list of specific websites 140 that are identified as secure (e.g., an “authorized website list”).
  • although processor 124 and memory 126 are functionally illustrated in FIG. 2 as being within the same block, it will be understood that the processor and memory may actually comprise multiple processors and memories that may or may not be stored within the same physical housing or location. For example, some or all of the instructions and data may be stored on a removable CD-ROM and others within a read-only computer chip. Some or all of the instructions and data may be stored in a location physically remote from, yet still accessible by, the processor. Similarly, the processor may actually comprise a collection of processors which may or may not operate in parallel. Data may be distributed and stored across multiple memories 126 such as hard drives or the like.
  • server 104 may communicate with one or more client computers 102 , 106 and/or 108 , as well as devices such as mobile phone 110 and PDA 112 .
  • Each client computer or other client device may be configured similarly to the server 104 , with a processor, memory and instructions, as well as one or more user input devices 118 , 120 and a user output device, such as display 122 .
  • Each client computer may be a general purpose computer, intended for use by a person, having all the components normally found in a personal computer such as a central processing unit (“CPU”), display, CD-ROM or DVD drive, hard-drive, mouse, keyboard, touch-sensitive screen, speakers, microphone, modem and/or router (telephone, cable or otherwise) and all of the components used for connecting these elements to one another.
  • the server 104 and user computers and other devices are capable of direct and indirect communication with other computers, such as over network 116 .
  • network 116 may comprise various configurations and protocols including the Internet, intranets, virtual private networks, wide area networks, local networks, private networks using communication protocols proprietary to one or more companies, Ethernet, WiFi, Bluetooth or TCP/IP.
  • Communication across the network 116 may be facilitated by any device capable of transmitting data to and from other computers, such as modems (e.g., dial-up or cable), network interfaces and wireless interfaces.
  • Server 104 may be a web server. Although certain advantages are obtained when information is transmitted or received as noted above, other aspects of the invention are not limited to any particular manner of transmission of information. For example, in some aspects, the information may be sent via a medium such as a disk, tape, CD-ROM, or directly between two computer systems via a dial-up modem.
  • computers and user devices in accordance with the systems and methods described herein may comprise any device capable of processing instructions and transmitting data to and from other computers, including network computers lacking local storage capability, PDA's with modems such as PDA 112 and Internet-capable wireless phones such as mobile phone 110 .
  • the network 100 may also include an authorization entity 142 , which may be directly or indirectly coupled to server 104 .
  • the authorization entity 142 may be part of or otherwise logically associated with the server 104.
  • when the computer 102 is first powered on, it does not yet have an operating system loaded in memory.
  • the bootloader 132 executes a program stored in memory 126 to load the operating system kernel 134 .
  • the bootloader 132 also loads the minimum amount of data needed by the kernel 134 to access other portions of memory 126 from which the executable files 136 and data are loaded.
  • although only one bootloader 132 is shown in FIG. 2, one having ordinary skill in the art would appreciate that multi-stage bootloaders may be used to sequentially load and process several programs to boot the computer 102.
  • the kernel 134 provides a bridge between application software and the data processing that is performed at the hardware level.
  • the kernel 134 manages system resources by communicating between hardware and software components of the computer.
  • the authorization entity 142 and the server 104 may together comprise an authorization server.
  • the authorization entity 142 is operable to identify specific web sites as secure. This may be accomplished by performing a verification process and maintaining a list of the web sites that are identified as being authorized.
  • the authorized web sites may be accessed by the computer 102 during a secure operating mode such that any information provided by a user while interacting with an authorized web site cannot be intercepted by third parties.
  • a computing device operating in the secure mode may communicate over a network to access any object identified by a uniform resource identifier (URI) or uniform resource locator (URL).
  • the computing device operating in the secure mode may access an object from any network location such as from an FTP server or a storage area network (SAN).
  • a user wants to process a security-critical banking transaction, such as a money transfer using a debit account.
  • the user chooses to boot a computing device in the secure operating mode.
  • in the secure operating mode, the bootloader and the kernel are verified, and only the executable files that are necessary to provide a basic Internet browsing session are loaded, into a region of memory that the kernel marks read-only.
  • the operating system executes on the computing device using a minimum amount of components.
  • the user may then select a bank web site from a list of authorized web sites displayed by the browser (assuming that the bank has already registered with an authorization entity such that the bank web site has already been added to the list of authorized web sites).
  • the web site is then launched, and the user provides confidential information (e.g., username, password, PIN, etc.) in order to successfully login to the web site.
  • the user may then initiate the desired transaction, provide all the necessary details and confirm the transaction. Because the executable files are mapped read-only, the information provided by the user is held only in volatile memory, which the kernel marks non-executable, until the user session ends. The user data is never written to permanent storage, so it cannot be recovered from the device by unauthorized parties afterwards.
  • the user may then log off from the bank web site and reboot the computing device to begin another browsing session in normal operating mode.
  • one embodiment of the invention is shown in FIGS. 3A-B, where a user may choose to boot a computing device in a secure operating mode to prevent unauthorized parties from intercepting information provided to a web site during a transaction.
  • FIG. 3A illustrates general aspects of system interaction between a client and a server.
  • FIG. 3B illustrates a flow diagram showing a computer process for conducting an Internet transaction in a secure operating mode. The actions shown in FIG. 3A will be discussed below with regard to the flow diagram in FIG. 3B .
  • operation of computing device 102 is initiated in response to receiving power.
  • hardware of the computing device (e.g., the system BIOS) then verifies the electronically signed bootloader. Boot options are provided by the verified bootloader, so the boot options need not be coded in read-only firmware.
  • the verified bootloader causes a prompt 144 to appear on a display 122 of the computing device 102 , as shown in operation 202 .
  • the prompt 144 provides a user with an option to boot the computing device 102 in a normal operation mode or a secure operation mode.
  • if the normal operating mode is selected, the computer hardware activates the bootloader to load and execute the operating system kernel of the computing device 102.
  • the kernel then runs the startup procedures of the computing device 102, including any executable files required to initialize device procedures. Accordingly, all system drivers, processes, installed browser extensions, etc. are loaded into memory 126. The computing device is thereby enabled to access any available web site.
  • the user may select to execute the computing device 102 in the secure operating mode in the event that the user intends to conduct a transaction at a web site that may require the user to provide confidential data (e.g., username/password combinations, financial or medical information, documents secured with an electronic signature, etc.).
  • in the secure operating mode, the user is provided with a limited computing environment in which to browse the Internet or other public or private network.
  • the computing device 102 receives the user selection to operate the computing device 102 in a secure mode.
  • the computer hardware that is activated at power-up initiates verification of the components that will be loaded to read-only memory during the secure operating mode, as shown in operation 206 .
  • the verified bootloader verifies the operating system kernel, which in turn verifies executable files (e.g., device drivers) that are necessary to provide the user with a basic browsing session.
  • the verification process may be performed using known security techniques including the use of a public key to validate the digital signature of each component to be verified.
  • the computer hardware that is activated at power-up executes a verification application to obtain a unique checksum associated with the component to be verified.
  • the verification application may be an applet or executable code which performs a cryptographic process on the component to arrive at the unique checksum.
  • the checksum should be cryptographically secure to prevent tampering. Any number of cryptographic algorithms or hashing functions may be used by the verification application to achieve these goals. For instance, the SHA-2 family of hash functions may be employed.
  • the checksums generated by the verification application may or may not be of fixed length. In an alternative, the verification application may be used on multiple components.
  • a digital signature is then produced over the checksum using the signer's private key (in this design, a key held by the authorization entity 142), so that the checksum is "signed"; the corresponding public key is what the computing device stores.
  • the generated checksums may be compared to signed checksums that are attached to each component to be verified. To perform the comparison, the signature over each attached checksum is verified with the stored public key (e.g., a key associated with the authorization entity 142), which confirms that the attached checksum is authentic. That checksum is then compared to the checksum generated by the verification application; a mismatch indicates that the component has been modified, and the component is not loaded.
  • a limited set of executable files is loaded into a part of memory 126 that is identified as read-only by the kernel.
  • the loaded executable files constitute the minimum amount required to communicate with a server and provide the user with a basic browsing session to conduct a transaction.
  • no third-party system components are loaded in memory 126 (e.g., browser extensions, audio/graphics/chipset drivers, etc.).
  • the remainder of executable files stored in memory 126 is marked as “non-executable” by the kernel.
  • a visual indicator 146 may be displayed on the display 122 of the computing device 102 to inform the user that the computing device 102 is operating in the secure mode.
  • the visual indicator 146 may be an icon that symbolizes a secure mode (e.g., a lock) or the visual indicator 146 may be text.
  • the computing device 102 is configured such that the visual indicator 146 cannot be rendered during the normal operating mode, in order to prevent a third party from deceiving the user into believing that he is browsing the Internet in the secure operating mode.
  • a graphics engine may prevent the visual indicator 146 from being displayed during the normal operating mode.
  • the user may initiate a browser session.
  • the user is only permitted to access web sites that are recognized by the authorization entity as being secure (e.g., websites 148 ).
  • the computing device 102 may be configured to operate in the secure mode to access only SSL-enabled web sites, and all browser communication with these websites is SSL-encrypted.
  • specific web sites or services register with the authorization entity 142 to allow user access in secure mode, and the authorization entity 142 verifies the certificates of the registered web sites or services. A list of the web sites/certificates is signed by the authorization entity 142 .
  • the computing device 102 may access the approved web sites or services via the authorization entity 142 .
  • the list of allowed web sites or services can be downloaded from the authorization entity 142 or checked for updates while operating in secure mode. The user may then view the list, search for a specific web site using different criteria (e.g., category, name, region, etc.), and select a web site to visit.
  • the registration process could be performed by providing the authorization entity 142 with a certificate signed by a trusted third-party.
  • the authorization entity 142 then signs the certificate and includes the signed certificate in a list of secure web sites.
  • the authorization entity 142 performs manual authorization to verify that the web site requesting registration is owned by the organization it claims to belong to.
  • the certificates that would be retrieved by a client from the authorization entity 142 should contain sufficient information for the client to be able to locate and access the desired service without relying on any additional step to resolve a service provider's address. For example, it would not be sufficient for the certificate to contain merely the service provider name and the web site domain name, as the client would then still need to query a DNS server for the IP address of the web site. Such an additional step may expose the client to DNS spoofing attacks. Instead, the certificate should include the service provider name, the web site domain and an IP address all signed by the authorization entity 142 . In addition, all traffic between the user and the remote service (whether or not HTTP traffic) should be encrypted. Accordingly, the user would not be vulnerable to network sniffing attacks that seek to capture the user's confidential information.
  • the files that enable the computing device 102 to interact with the web site and conduct the transaction are executed in read-only mode. Accordingly, any information that a user provides to the web site during the transaction is not stored locally on the computing device 102 .
  • the user-provided information is transient data because the data is created within an application session. At the end of the session, the data is discarded without being stored.
  • information provided by the user cannot be intercepted by any third party because no information is stored on the computing device 102 during the browser session. Accordingly, the user is provided with a secure terminal for security-critical services without exposing the user to security threats that would exist otherwise.
  • the user may conduct another security-critical transaction at the same web site or at another authorized web site.
  • the user may reboot the computing device 102 to operate in the normal mode, as shown in operation 214 , to enable the computing device 102 to access any available web site including web sites that the authorization entity 142 does not recognize as authorized (e.g., websites 150 ).
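The verification chain described in the entries above (read-only firmware verifies the bootloader before the mode prompt, the verified bootloader verifies the kernel, the kernel verifies and maps only the minimal executable set and marks everything else non-executable, with the mode passed as a kernel parameter) as an added, runnable Go example. This is not code from the patent or from Google: it models the chain with Ed25519 signatures over SHA-256 checksums, in-memory stand-ins for the images, a constructed minimal file list standing in for data 130, fixed demo key seeds, and a kernel parameter named securemode=1, all of which are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Component is one link in the boot chain: image, key for the next stage (nil for leaf
// files), and a signature over both.
type Component struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// digest is the patent's "unique checksum": SHA-256 over image plus next-stage key.
func digest(c Component) []byte {
	sum := sha256.Sum256(append(append([]byte{}, c.Image...), c.NextKey...))
	return sum[:]
}

// sign attaches a signature made with the vouching party's private key.
func sign(priv ed25519.PrivateKey, c Component) Component {
	c.Sig = ed25519.Sign(priv, digest(c))
	return c
}

// verify recomputes the checksum and checks the signature with the stored public key.
func verify(pub ed25519.PublicKey, c Component) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, digest(c), c.Sig) {
		return fmt.Errorf("%s: signature does not match image", c.Name)
	}
	return nil
}

// SecureModeRequested reads the parameter the bootloader or BIOS passes on the
// kernel command line; the parameter name "securemode" is an assumption.
func SecureModeRequested(cmdline string) bool {
	return strings.Contains(" "+cmdline+" ", " securemode=1 ")
}

// Boot models firmware -> bootloader -> kernel -> executables: rootKey is the only key
// in read-only firmware, every later key arrives inside an already verified stage, and
// minimal is the required-file list the patent keeps in data 130.
func Boot(rootKey ed25519.PublicKey, bl, kernel Component, files []Component,
	minimal map[string]bool, cmdline string) (loaded, nonExec []string, err error) {
	// 1. Firmware verifies the bootloader before the mode prompt is ever shown.
	if err := verify(rootKey, bl); err != nil {
		return nil, nil, fmt.Errorf("firmware: %w", err)
	}
	if !SecureModeRequested(cmdline) { // normal mode: load all, check nothing more
		for _, f := range files {
			loaded = append(loaded, f.Name)
		}
		return loaded, nil, nil
	}
	// 2. The verified bootloader verifies the kernel with the key it carries.
	if err := verify(bl.NextKey, kernel); err != nil {
		return nil, nil, fmt.Errorf("bootloader: %w", err)
	}
	// 3. The kernel verifies and maps (read-only) only the minimal set; the rest is
	//    never hashed, just marked non-executable.
	for _, f := range files {
		if !minimal[f.Name] {
			nonExec = append(nonExec, f.Name)
			continue
		}
		if err := verify(kernel.NextKey, f); err != nil {
			return nil, nil, fmt.Errorf("kernel: %w", err)
		}
		loaded = append(loaded, f.Name)
	}
	return loaded, nonExec, nil
}

// BuildDemo signs a constructed chain with deterministic demo keys (fixed seeds, not
// real key material). audio.ko is unsigned on purpose: it is outside the minimal set.
func BuildDemo() (root ed25519.PublicKey, bl, kernel Component, files []Component, minimal map[string]bool) {
	rootPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32))
	blPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32))
	kPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{3}, 32))
	files = []Component{
		sign(kPriv, Component{Name: "netdrv.ko", Image: []byte("constructed network driver")}),
		sign(kPriv, Component{Name: "browser", Image: []byte("constructed minimal browser")}),
		{Name: "audio.ko", Image: []byte("constructed third-party audio driver")},
	}
	kernel = sign(blPriv, Component{Name: "vmlinuz", Image: []byte("constructed kernel"), NextKey: kPriv.Public().(ed25519.PublicKey)})
	bl = sign(rootPriv, Component{Name: "bootloader", Image: []byte("constructed bootloader"), NextKey: blPriv.Public().(ed25519.PublicKey)})
	return rootPriv.Public().(ed25519.PublicKey), bl, kernel, files, map[string]bool{"netdrv.ko": true, "browser": true}
}

func main() {
	root, bl, kernel, files, minimal := BuildDemo()
	files[1].Image = append(files[1].Image, '!') // a patched browser binary
	_, _, err := Boot(root, bl, kernel, files, minimal, "securemode=1")
	fmt.Println("patched browser in secure mode:", err)
}
```

Two properties of the patent's design show up directly in the model: a patched bootloader is rejected by firmware whether or not secure mode is ever selected, because that check precedes the prompt, while a patched browser is rejected only in secure mode, since normal mode loads everything without further verification. Files outside the minimal set are never hashed at all, which is what keeps the secure-mode attack surface independent of third-party drivers and extensions.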
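The authorized-list design in the entries above (entries carrying the provider name, domain and IP address signed together by the authorization entity 142, a client that never falls back to a DNS query, and encrypted traffic to every listed site) as an added Go example. It is not the patent's or Google's code. The JSON list format, the Ed25519 signature over the list, the use of a SHA-256 certificate fingerprint to pin "the certificate" the authorization entity verified, the example domain bank.example and the documentation address 203.0.113.10 are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// Site is one entry of the authorized list: provider name, domain and IP (which the
// patent says must be signed together) plus the SHA-256 of the site's DER certificate.
type Site struct {
	Name       string `json:"name"`
	Domain     string `json:"domain"`
	IP         string `json:"ip"`
	CertSHA256 string `json:"cert_sha256"`
}

// SignedList is what the client downloads: encoded entries plus the authorization
// entity's signature over their SHA-256 digest.
type SignedList struct {
	Entries []byte
	Sig     []byte
}

// PublishList is the authorization entity's side: encode the entries and sign them.
func PublishList(priv ed25519.PrivateKey, sites []Site) SignedList {
	enc, _ := json.Marshal(sites) // a []Site of plain strings cannot fail to encode
	d := sha256.Sum256(enc)
	return SignedList{Entries: enc, Sig: ed25519.Sign(priv, d[:])}
}

// LoadList is the client's side: verify the signature first, then refuse any entry
// that would push the client back onto DNS (no IP) or an unpinned TLS session.
func LoadList(pub ed25519.PublicKey, l SignedList) ([]Site, error) {
	d := sha256.Sum256(l.Entries)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, d[:], l.Sig) {
		return nil, errors.New("authorized list: signature does not verify")
	}
	var sites []Site
	if err := json.Unmarshal(l.Entries, &sites); err != nil {
		return nil, err
	}
	for _, s := range sites {
		if net.ParseIP(s.IP) == nil {
			return nil, fmt.Errorf("%s: entry carries no usable IP address", s.Domain)
		}
		if fp, err := hex.DecodeString(s.CertSHA256); err != nil || len(fp) != sha256.Size {
			return nil, fmt.Errorf("%s: entry carries no certificate fingerprint", s.Domain)
		}
	}
	return sites, nil
}

// DialTarget resolves a listed domain without DNS: the pinned IP on the TLS port, and a
// tls.Config that still sends the domain as SNI and validates the chain, but also
// requires the leaf certificate to match the signed fingerprint.
func DialTarget(sites []Site, domain string) (string, *tls.Config, error) {
	for _, s := range sites {
		if s.Domain != domain {
			continue
		}
		want, _ := hex.DecodeString(s.CertSHA256) // already validated by LoadList
		cfg := &tls.Config{
			ServerName: s.Domain,
			VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
				if len(rawCerts) == 0 {
					return errors.New("no certificate presented")
				}
				if got := sha256.Sum256(rawCerts[0]); !bytes.Equal(got[:], want) {
					return errors.New("leaf certificate does not match pinned fingerprint")
				}
				return nil
			},
		}
		return net.JoinHostPort(s.IP, "443"), cfg, nil
	}
	return "", nil, fmt.Errorf("%s: not in the authorized list", domain)
}

// BuildDemoList publishes a one-entry list under a deterministic demo key (fixed seed,
// not real key material) and returns the constructed certificate bytes the entry pins.
func BuildDemoList() (priv ed25519.PrivateKey, pub ed25519.PublicKey, l SignedList, cert []byte) {
	priv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32))
	cert = []byte("constructed DER certificate for bank.example")
	fp := sha256.Sum256(cert)
	l = PublishList(priv, []Site{{Name: "Example Bank", Domain: "bank.example",
		IP: "203.0.113.10", CertSHA256: hex.EncodeToString(fp[:])}})
	return priv, priv.Public().(ed25519.PublicKey), l, cert
}

func main() {
	_, pub, l, cert := BuildDemoList()
	sites, _ := LoadList(pub, l)
	addr, cfg, _ := DialTarget(sites, "bank.example")
	fmt.Println("dial", addr, "sni", cfg.ServerName, "pin ok:", cfg.VerifyPeerCertificate([][]byte{cert}, nil) == nil)
}
```

A client would pass the returned address and config to tls.Dial("tcp", addr, cfg); no network is touched here. The order of checks matters: the list signature is verified before any entry is parsed, and an entry that lacks an IP address is refused even when the list is correctly signed, because accepting it would reintroduce the DNS lookup the patent sets out to avoid. The pin is layered on top of ordinary chain validation rather than replacing it, so a compromised list entry alone is not enough to redirect the session.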

Abstract

A computing device operates in a secure operating mode in response to user selection. Computer hardware is initialized to verify a bootloader of an operating system, and the bootloader verifies the operating system kernel. The kernel then verifies operating-system level executable files. After verification, a limited set of the verified files is loaded into a portion of the memory that is subsequently marked by the kernel as read-only. These files are executed to provide a basic Internet browser session; all other files are identified as non-executable. When the user accesses an authorized website and conducts a transaction that requires the user to provide information, the information is encrypted during transmission over the network. In addition, such information cannot be accessed by other parties, since the information provided is not persisted at the computing device.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is a continuation of U.S. patent application Ser. No. 12/827,330, filed Jun. 30, 2010, the disclosure of which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates generally to a secure operating mode of a computer device and, more particularly, to a secure operating mode of a computing device for executing security-critical Internet applications and preventing interception of user-provided information.
2. Description of Related Art
Many categories of Internet based services require a high degree of security. Examples include Internet banking, electronic interaction with government services, and documents or files that are provided with a legally binding digital signature. Typical computing environments may not be secure enough to prevent a user from being exposed to different types of attacks that seek to capture user-provided information and to use the captured information to process fraudulent transactions.
Unscrupulous third parties may capture user-provided information in different ways. In one example, a keylogger program may be installed on the user's computer to capture information entered using a keyboard. The keylogger program may be installed by exploiting operating system vulnerabilities or by deceiving the user to execute malicious software. In another example, the user may be transported to a website where user-provided information may be captured. In a further example, a computer display may be manipulated to deceive the user into signing a fraudulent transaction using a legally-binding digital signature.
Existing operating systems are unable to prevent the capture of confidential information by these types of attacks. Many browsers and Internet security programs warn against visiting websites with invalid security certificates or following phishing links; such warnings, however, are commonly ignored. In addition, existing operating systems may be patched at any level (e.g., bootloader, kernel, drivers, etc.). Accordingly, such warnings may be disabled by malicious software.
It may be difficult to avoid malicious software which could act as a keylogger or modify a user's display. Malicious software is under continuous development, and may be tailored to target a limited set of users in which case the malicious software may not be identified even by up-to-date anti-virus and internet security software. In some cases, a computing system may be infected without the user installing any software, as in the case of browser vulnerabilities which allow remote code execution.
Some existing solutions for preventing third party capture of user-provided information rely on external hardware to achieve a sufficient level of security. In one example, an external smart card reader is connected to the computer to download transaction details. The user may view the transaction details on the reader's display, insert a smart card that contains a private key into the reader, and enter a personal identification number (PIN) in order to sign the transaction. The smart card reader may prevent capture of the PIN and the reader's firmware may not be manipulated by the computer since the reader only downloads transaction data from the computer. In other words, executable instructions are not downloaded to the reader. However, the requirement of an additional smart card reader increases costs and the use of smart cards is inconvenient.
It is important to prevent interception of user-provided information while executing security-critical Internet-related applications on a computing device.
BRIEF SUMMARY OF THE INVENTION
Aspects of the invention provide a user with the ability to select a secure operating mode of a computing device before the operating system of the computing device is booted. Before receiving selection of the secure operating mode, computer hardware is initialized to verify a bootloader of an operating system to guarantee that the bootloader is not patched. Then, in response to receiving selection of the secure operating mode, the bootloader verifies the operating system kernel. The kernel then verifies operating-system level executable files. The files that are verified may be limited to the files to be loaded into memory. After verification, at least some of the verified files are loaded into a portion of the memory that is identified by the kernel as read-only. These files are executed to provide a basic Internet browser session; all other files are identified by the kernel as non-executable. When the user accesses an authorized website and conducts a transaction that requires a user to provide information, such information cannot be accessed by other parties since the information provided is encrypted over the network and is not persisted to the local file system. The information may be stored in memory at the computing device as part of the data related to the browser process. The memory, however, is cleared when the user session ends.
In accordance with one embodiment of the invention, a method of providing a secure operating mode of a computing device is provided. The method comprises verifying the integrity of a bootloader. A user of the computing device is then provided with an option to select a normal operating mode or a secure operating mode. After a selection of the secure operating mode is received, other components of the computing device are verified. In one example, the components that are verified include an operating system kernel file, and operating-system level executable files to be executed in the secure operating mode. The verified files are executed to communicate with a server and conduct a transaction. Information input to the computing device during the transaction is not persisted in a file system of the computing device and cannot be tracked after the user session ends.
In accordance with another embodiment of the invention, a system for providing a secure operating mode of a computing device is provided. The system comprises a storage means and a processor logically coupled to the storage means. The storage means stores a bootloader, an operating system kernel and executable files to enable the computing device to communicate over a network. The processor uses read-only firmware to verify the bootloader. The processor is also operable to receive a selection to operate the computing device in a secure operating mode. The processor is additionally operable to verify the operating system kernel and a set of the files to be executed in the secure operating mode. The processor is further operable to execute at least some of the verified files while communicating over the network and conducting a transaction. Information input to the computing device during the transaction is not persisted in the storage means and cannot be tracked after the user session ends.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a system in accordance with aspects of the invention.
FIG. 2 illustrates aspects of the system of FIG. 1.
FIGS. 3A-B illustrate a system and method for operating a computing device in a secure mode to prevent interception of user-provided data in accordance with aspects of the invention.
DETAILED DESCRIPTION
The aspects, features and advantages of the invention will be appreciated when considered with reference to the following description of preferred embodiments and accompanying figures. The following description does not limit the invention; rather, the scope of the invention is defined by the appended claims and equivalents.
While certain processes in accordance with aspects of the invention are shown in the figures as occurring in a linear fashion, this is not a requirement unless expressly stated herein. Different processes may be performed in a different order or concurrently.
Aspects of the invention provide systems and methods for providing a user with an option to select a normal operating mode or a secure operating mode of a computing device. Before receiving selection of the secure operating mode, boot firmware verifies a bootloader of an operating system. Then, in response to receiving selection of the secure operating mode, the bootloader verifies the operating system kernel. The kernel then verifies operating-system level executable files (e.g., device drivers). After verification, a limited set of the executable files is loaded into a portion of memory that the kernel marks as read-only. These read-only files are executed to provide a basic Internet browser session; all other files are identified as non-executable. When the user accesses an authorized website and conducts a transaction, information provided by the user cannot be accessed by other parties since the information is not persisted on the file system of the computing device.
In some embodiments, the same operating system kernel can be used for both normal and secure modes. In one example, the bootloader (or BIOS) passes a parameter to the kernel to specify whether to boot in normal mode or in secure mode based on user selection. Most modern operating system kernels accept boot parameters that select different modes of operation. Accordingly, it is unnecessary to install two separate operating systems (or different subsets of operating system files, such as different kernels, drivers, etc.).
FIG. 1 presents a schematic diagram of a computer system depicting various computing devices that can be used alone or in a networked configuration in accordance with aspects of the invention. For example, this figure illustrates a computer network 100 having a plurality of computers 102, 104, 106 and 108 as well as other types of devices such as portable electronic devices such as a mobile phone 110 and a PDA 112. Such devices may be interconnected via a local or direct connection 114 and/or may be coupled via a communications network 116 such as a LAN, WAN, the Internet, etc. and which may be wired or wireless.
Each device may include, for example, one or more processing devices and have user inputs such as a keyboard 118 and mouse 120 and/or various other types of input devices such as pen-inputs, joysticks, buttons, touch screens, etc., as well as a display 122, which could include, for instance, a CRT, LCD, plasma screen monitor, TV, projector, etc. Each computer 102, 104, 106 and 108 may be a personal computer, server, etc. By way of example only, computers 102 and 106 may be personal computers while computer 104 may be a server and computer 108 may be a laptop.
As shown in FIG. 2, each computer such as computers 102 and 104 contains a processor 124, memory/storage 126 and other components typically present in a computer. For instance, memory/storage 126 stores information accessible by processor 124, including instructions 128 that may be executed by the processor 124 and data 130 that may be retrieved, manipulated or stored by the processor. The memory/storage 126 may be of any type or any device capable of storing information accessible by the processor, such as a hard-drive, ROM, RAM, CD-ROM, flash memories, write-capable or read-only memories. The processor 124 may comprise any number of well known processors, such as processors from Intel Corporation. Alternatively, the processor may be a dedicated controller for executing operations, such as an ASIC.
The instructions 128 may comprise any set of instructions to be executed directly (such as machine code) or indirectly (such as scripts) by the processor(s). In that regard, the terms “instructions,” “steps” and “programs” may be used interchangeably herein. The instructions may be stored in any computer language or format, such as in object code or modules of source code.
In accordance with aspects of the invention, the instructions 128 on the computer 102 may include a bootloader 132, an operating system kernel 134 and executable files 136. The bootloader 132 loads and executes the operating system kernel 134. The operating system kernel 134 continues startup procedures for the computer 102 by linking application software (e.g., executable files 136) and the computer hardware (e.g., processor 124, display 122, keyboard 118, and mouse 120). The functions, methods and routines of instructions in accordance with the invention are explained in more detail below.
Data 130 may be retrieved, stored or modified by processor 124 in accordance with the instructions 128. The data may be stored as a collection of data.
The data may also be formatted in any computer readable format such as, but not limited to, binary values, ASCII or Unicode. Similarly, the data may include images stored in a variety of formats such as vector-based images or bitmap images using lossless (e.g., PNG) or lossy (e.g., JPEG) encoding. Moreover, the data may include any information sufficient to identify the relevant information, such as descriptive text, proprietary codes, pointers, references to data stored in other memories (including other network locations) or information which is used by a function to calculate the relevant data.
In accordance with aspects of the invention, the data 130 stored on computer 102 may comprise information regarding the minimum set of executable files 136 that are required to provide a user with a basic Internet browser session. The data 130 on computer 104 may also include a list of specific websites 140 that are identified as secure (e.g., an “authorized website list”).
Although the processor 124 and memory 126 are functionally illustrated in FIG. 2 as being within the same block, it will be understood that the processor and memory may actually comprise multiple processors and memories that may or may not be stored within the same physical housing or location. For example, some or all of the instructions and data may be stored on a removable CD-ROM and others within a read-only computer chip. Some or all of the instructions and data may be stored in a location physically remote from, yet still accessible by, the processor. Similarly, the processor may actually comprise a collection of processors which may or may not operate in parallel. Data may be distributed and stored across multiple memories 126 such as hard drives or the like.
In one aspect, server 104 may communicate with one or more client computers 102, 106 and/or 108, as well as devices such as mobile phone 110 and PDA 112. Each client computer or other client device may be configured similarly to the server 104, with a processor, memory and instructions, as well as one or more user input devices 118, 120 and a user output device, such as display 122. Each client computer may be a general purpose computer, intended for use by a person, having all the components normally found in a personal computer such as a central processing unit (“CPU”), display, CD-ROM or DVD drive, hard-drive, mouse, keyboard, touch-sensitive screen, speakers, microphone, modem and/or router (telephone, cable or otherwise) and all of the components used for connecting these elements to one another.
The server 104 and user computers and other devices are capable of direct and indirect communication with other computers, such as over network 116. Although only a few computing devices are depicted in FIGS. 1 and 2, it should be appreciated that a typical system can include a large number of connected servers and clients, with each different computer being at a different node of the network. The network 116, and intervening nodes, may comprise various configurations and protocols including the Internet, intranets, virtual private networks, wide area networks, local networks, private networks using communication protocols proprietary to one or more companies, Ethernet, WiFi, Bluetooth or TCP/IP.
Communication across the network 116, including any intervening nodes, may be facilitated by any device capable of transmitting data to and from other computers, such as modems (e.g., dial-up or cable), network interfaces and wireless interfaces. Server 104 may be a web server. Although certain advantages are obtained when information is transmitted or received as noted above, other aspects of the invention are not limited to any particular manner of transmission of information. For example, in some aspects, the information may be sent via a medium such as a disk, tape, CD-ROM, or directly between two computer systems via a dial-up modem.
Moreover, computers and user devices in accordance with the systems and methods described herein may comprise any device capable of processing instructions and transmitting data to and from other computers, including network computers lacking local storage capability, PDA's with modems such as PDA 112 and Internet-capable wireless phones such as mobile phone 110.
As shown in FIG. 1, the network 100 may also include an authorization entity 142, which may be directly or indirectly coupled to server 104. In an alternative, the authorization entity 142 may be part of or otherwise logically associated with the server 104.
When the computer 102 is first powered on, no operating system is yet loaded in RAM; the operating system resides in non-volatile storage within memory/storage 126. The bootloader 132 executes a program stored in memory 126 to load the operating system kernel 134. The bootloader 132 also loads the minimum amount of data needed by the kernel 134 to access other portions of memory 126 from which the executable files 136 and data are loaded. Although only one bootloader 132 is shown in FIG. 2, one having ordinary skill in the art would appreciate that multiple stage bootloaders may be used to sequentially load and process several programs to boot the computer 102.
Once loaded, the operating system kernel 134 continues startup procedures for the computer 102. The kernel 134 provides a bridge between application software and the data processing that is performed at the hardware level. The kernel 134 manages system resources by communicating between hardware and software components of the computer.
The authorization entity 142 and the server 104 may comprise an authorization server. As will be explained in more detail below, the authorization entity 142 is operable to identify specific web sites as secure. This may be accomplished by performing a verification process and maintaining a list of the web sites that are identified as being authorized. In accordance with aspects of the invention, the authorized web sites may be accessed by the computer 102 during a secure operating mode such that any information provided by a user while interacting with an authorized web site cannot be intercepted by third parties.
While the invention is described with reference to accessing web sites from a computing device, one having ordinary skill in the art would appreciate that the invention may be used to provide a secure computing environment when accessing any object over any type of network. For example, a computing device operating in the secure mode may communicate over a network to access any object identified by a uniform resource identifier (URI) or uniform resource locator (URL). Similarly, the computing device operating in the secure mode may access an object from any network location such as from an FTP server or a storage area network (SAN).
In one illustrative example, a user wants to process a security-critical banking transaction, such as a money transfer using a debit account. The user chooses to boot a computing device in the secure operating mode. In the secure operating mode, the bootloader and the kernel are verified, and only the executable files that are necessary to provide a basic Internet browsing session are loaded into a region of memory that the kernel marks read-only. Accordingly, the operating system executes on the computing device using a minimum set of components. The user may then select a bank web site from a list of authorized web sites displayed by the browser (assuming that the bank has already registered with an authorization entity such that the bank web site has already been added to the list of authorized web sites). The web site is then launched, and the user provides confidential information (e.g., username, password, PIN, etc.) in order to successfully log in to the web site. The user may then initiate the desired transaction, provide all the necessary details and confirm the transaction. The executable files run from read-only memory, and the information provided by the user is held only in volatile memory that the kernel marks non-executable, until the user session ends. The user data is not written to permanent storage, so the information cannot be recovered from the computing device by unauthorized parties after the session. The user may then log off from the bank web site and reboot the computing device to begin another browsing session in normal operating mode.
One embodiment of the invention is shown in FIGS. 3A-B where a user may choose to boot a computing device in a secure operating mode to prevent unauthorized parties from intercepting information provided to a web site during a transaction. In particular, FIG. 3A illustrates general aspects of system interaction between a client and a server. And FIG. 3B illustrates a flow diagram showing a computer process for conducting an Internet transaction in a secure operating mode. The actions shown in FIG. 3A will be discussed below with regard to the flow diagram in FIG. 3B.
In particular, operation of a computing device 102 is initiated in response to receiving power. Hardware of the computing device (e.g., system BIOS) executes a program that verifies a bootloader as shown in operation 200. In one embodiment, boot options are provided by the verified and electronically signed bootloader such that the boot options need not be coded in read-only firmware. The verified bootloader causes a prompt 144 to appear on a display 122 of the computing device 102, as shown in operation 202. The prompt 144 provides a user with an option to boot the computing device 102 in a normal operation mode or a secure operation mode.
In the normal operation mode, the computer hardware activates the bootloader to load and execute the operating system kernel of the computing device 102. The kernel initiates startup procedures of the computing device 102 including any executable files required to initialize device procedures. Accordingly, all system drivers, processes, installed browser extensions, etc. are loaded into memory 126 and permitted to execute. The computing device is thereby enabled to access any available web site.
The user may select to execute the computing device 102 in the secure operating mode in the event that the user intends to conduct a transaction at a web site that may require the user to provide confidential data (e.g., username/password combinations, financial or medical information, documents secured with an electronic signature, etc.). In the secure operating mode, the user is provided with a limited computing environment in which to browse the Internet or other public or private network. As shown in operation 204, the computing device 102 receives the user selection to operate the computing device 102 in a secure mode.
In response to the user selection of the secure operating mode, the computer hardware that is activated at power-up initiates verification of the components that will be loaded to read-only memory during the secure operating mode, as shown in operation 206. The verified bootloader verifies the operating system kernel, which in turn verifies executable files (e.g., device drivers) that are necessary to provide the user with a basic browsing session. The verification process may be performed using known security techniques including the use of a public key to validate the digital signature of each component to be verified.
In one illustrative example, the computer hardware that is activated at power-up executes a verification application to compute a digest (checksum) of the component to be verified. By way of example only, the verification application may be an applet or executable code that applies a cryptographic hash function to the component to arrive at the digest. The hash function should be collision-resistant, so that a modified component cannot be made to produce the same digest as the original; an ordinary error-detecting checksum such as CRC32 does not provide this property. Any number of cryptographic hash functions may be used by the verification application to achieve this goal. For instance, the SHA-2 family of hash functions may be employed.
The length of the digests depends on the hash function chosen. The same verification application may be used on multiple components. At build time, the signer applies its private key to the digest of each component to produce a signed digest, which is attached to the component. To perform the comparison, the verification application uses a stored public key (e.g., a key associated with the authorization entity 142, held in read-only firmware so that malicious software cannot replace it) to recover the digest from the signed digest, and compares it with the digest it has just computed over the component actually present on the computing device. A mismatch indicates that the component has been modified or was not signed by the expected party, and the component is not executed.
After the integrity of all components is verified, as shown in operation 208, a limited set of executable files is loaded into a part of memory 126 that is marked as read-only by the kernel. The loaded executable files constitute the minimum set required to communicate with a server and provide the user with a basic browsing session to conduct a transaction. Desirably, no third-party system components are loaded in memory 126 (e.g., browser extensions, audio/graphics/chipset drivers, etc.). The remaining executable files stored in memory 126 are marked as "non-executable" by the kernel.
In operation 210, a visual indicator 146 may be displayed on the display 122 of the computing device 102 to inform the user that the computing device 102 is operating in the secure mode. For example, the visual indicator 146 may be an icon that symbolizes a secure mode (e.g., a lock) or the visual indicator 146 may be text. The computing device 102 is configured such that the visual indicator 146 cannot be rendered during the normal operating mode, in order to prevent a third party from deceiving the user into believing that he is browsing the Internet in the secure operating mode. For example, a graphics engine may prevent the visual indicator 146 from being displayed during the normal operating mode.
After the computing device 102 is configured to operate in the secure mode, as shown in operation 212, the user may initiate a browser session. In the secure operating mode, the user is only permitted to access web sites that are recognized by the authorization entity as being secure (e.g., websites 148). In one example, the computing device 102 may be configured to operate in the secure mode to access only SSL-enabled web sites, and all browser communication with these websites is SSL-encrypted. In another example, specific web sites or services register with the authorization entity 142 to allow user access in secure mode, and the authorization entity 142 verifies the certificates of the registered web sites or services. A list of the web sites/certificates is signed by the authorization entity 142. Accordingly, the computing device 102 may access the approved web sites or services via the authorization entity 142. In one embodiment, the list of allowed web sites or services can be downloaded from the authorization entity 142 or checked for updates while operating in secure mode. The user may then view the list, search for a specific web site using different criteria (e.g., category, name, region), and select a web site to visit.
In one illustrative example, the registration process could be performed by providing the authorization entity 142 with a certificate signed by a trusted third-party. The authorization entity 142 then signs the certificate and includes the signed certificate in a list of secure web sites. In another example, the authorization entity 142 performs manual authorization to verify that the web site requesting registration is owned by the organization it claims to belong to.
The certificates that would be retrieved by a client from the authorization entity 142 should contain sufficient information for the client to be able to locate and access the desired service without relying on any additional step to resolve a service provider's address. For example, it would not be sufficient for the certificate to contain merely the service provider name and the web site domain name, as the client would then still need to query a DNS server for the IP address of the web site. Such an additional step may expose the client to DNS spoofing attacks. Instead, the certificate should include the service provider name, the web site domain and an IP address, all signed by the authorization entity 142. Pinning the address removes the DNS lookup, but it does not by itself authenticate the host answering at that address; the client must still verify, when the encrypted connection is established, that the service presents the certificate registered with the authorization entity 142. In addition, all traffic between the user and the remote service (whether or not HTTP traffic) should be encrypted. Accordingly, the user would not be vulnerable to network sniffing attacks that seek to capture the user's confidential information.
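The verification chain of operations 200 through 208 and the signed site list with a pinned address described just above, as one added example that is not code from the patent or from Google: firmware verifies the bootloader before the mode prompt, in secure mode the bootloader verifies the kernel and the kernel verifies only the executables needed for the browser session (everything else is left non-executable), and the client in secure mode accepts a site only from a list whose signature checks out, taking the pinned address from the signed entry instead of resolving the domain. Signatures are textbook RSA over a SHA-256 digest with a hard-coded toy key so that the block runs offline on the Python standard library; the key (built from well-known Mersenne primes, so it is trivially factorable and not secure), the component names and contents, the provider name and the 192.0.2.10 address are all constructed for illustration. A real device would keep a vetted public key in read-only firmware and use RSA-PSS or Ed25519 from a maintained library.

```python
"""Added example, not code from the patent: a verified boot chain and a
signed, address-pinned site list.  Toy RSA stands in for firmware crypto;
all names, contents and addresses are constructed sample data."""
import hashlib
import ipaddress
import json

# Toy key pair (assumption, NOT secure: the primes are well-known Mersenne
# primes).  Only PUBLIC_KEY would live on the device, in read-only firmware.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)


def _digest_int(data):
    """SHA-256 of a component as an integer (the 'checksum' in the text)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data):
    """Signer side (build time / authorization entity): private key over the digest."""
    return pow(_digest_int(data), _D, _N)


def verify(data, signature, public_key=PUBLIC_KEY):
    """Verifier side: recover the signed digest with the public key and compare
    it with a digest computed over the component actually present."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def build_image(components):
    """Build time: attach a signed digest to every component on disk."""
    return {name: {"data": data, "sig": sign(data)} for name, data in components.items()}


def _verified(image, name):
    entry = image.get(name)
    return entry is not None and verify(entry["data"], entry["sig"])


def boot(image, secure_mode, needed):
    """Operations 200-208.  Firmware verifies the bootloader before the mode
    prompt.  Normal mode then loads everything unchecked.  Secure mode has the
    bootloader verify the kernel and the kernel verify only the executables in
    `needed`; all other files stay non-executable.  Any failed signature halts
    the boot.  Returns (executable, non_executable) as sets of names."""
    if not _verified(image, "bootloader"):
        raise RuntimeError("bootloader signature invalid: halt")
    others = set(image) - {"bootloader"}
    if not secure_mode:
        return others, set()
    if not _verified(image, "kernel"):
        raise RuntimeError("kernel signature invalid: halt")
    executable = set()
    for name in needed:
        if not _verified(image, name):
            raise RuntimeError(name + " signature invalid: halt")
        executable.add(name)
    return executable, others - executable - {"kernel"}


def _canonical(sites):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(sites, sort_keys=True, separators=(",", ":")).encode()


def make_site_list(sites):
    """Authorization entity: sign the whole list of (provider, domain, ip) entries."""
    return {"sites": sites, "sig": sign(_canonical(sites))}


def lookup_authorized(site_list, domain):
    """Client in secure mode: refuse the whole list if its signature fails,
    return None for an unlisted domain, otherwise the provider name and the
    pinned address so the connection can be opened without a DNS query."""
    if not verify(_canonical(site_list["sites"]), site_list["sig"]):
        raise RuntimeError("site list signature invalid: refuse all sites")
    for entry in site_list["sites"]:
        if entry["domain"] == domain:
            return entry["provider"], ipaddress.ip_address(entry["ip"])
    return None


if __name__ == "__main__":
    image = build_image({"bootloader": b"bl", "kernel": b"k", "tls": b"t",
                         "browser": b"b", "audio_driver": b"a", "extension": b"x"})
    print(boot(image, True, ["tls", "browser"]))
    site_list = make_site_list([{"provider": "Example Bank",
                                 "domain": "bank.example", "ip": "192.0.2.10"}])
    print(lookup_authorized(site_list, "bank.example"))
```

Two behaviours are worth noticing when running it: a patched kernel still boots in normal mode, because nothing past the bootloader is checked there, while the same image halts in secure mode; and a single altered IP address in the site list invalidates the whole list, so the client refuses every site rather than silently connecting to the substituted address.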
The files that enable the computing device 102 to interact with the web site and conduct the transaction are executed in read-only mode. Accordingly, any information that a user provides to the web site during the transaction is not stored locally on the computing device 102. In other words, the user-provided information is transient data because the data is created within an application session. At the end of the session, the data is discarded without being stored. As a result, information provided by the user cannot be recovered by a third party from the computing device 102 because no information is persisted there during the browser session. Accordingly, the user is provided with a secure terminal for security-critical services without exposing the user to security threats that would exist otherwise.
After the user is finished with the transaction, the user may conduct another security-critical transaction at the same web site or at another authorized web site. Alternatively, the user may reboot the computing device 102 to operate in the normal mode, as shown in operation 214, to enable the computing device 102 to access any available web site including web sites that the authorization entity 142 does not recognize as authorized (e.g., websites 150).
Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (20)

The invention claimed is:
1. A method of providing a secure operating mode of a computing device, the method comprising:
receiving, by one or more processors, information indicating a selection of the secure operating mode;
after receiving the information, verifying, by the one or more processors, an operating-system level executable file;
executing, by the one or more processors, the verified operating-system level executable file in read-only memory in order to conduct a transaction in the secure operating mode;
during the conducting of the transaction, receiving, by the one or more processors, information input to the computing device;
marking, by the one or more processors, the received information input into the computing device as non-executable; and
temporarily storing, by the one or more processors, the marked information in volatile memory of the computing device.
2. The method of claim 1, wherein verifying the operating-system level executable file comprises comparing a characteristic of the executable file with an encrypted security value, and wherein the verified operating-system level executable file is executed based on a result of the comparison.
3. The method of claim 1, wherein conducting the transaction includes communicating with a server computing device, and the method further comprises after verifying the operating-system level executable file, verifying and executing only files that are necessary to communicate with the server computing device and conduct the transaction.
4. The method of claim 1, further comprising not executing files stored in a writable portion of memory of the client while conducting the transaction in the secure operating mode.
5. The method of claim 1, wherein verifying the components of the computing device comprises:
verifying a bootloader file;
using the bootloader file to verify an operating system kernel file; and
using the verified operating system kernel file to verify the operating-system level executable file.
6. The method of claim 1, further comprising providing a visual indicator for display on an output device of the computing device during the secure operating mode to indicate that the computing device is operating in the secure operating mode, and wherein a graphics engine prevents the visual indicator from being displayed during a normal operating mode.
7. The method of claim 1, further comprising accessing a web site that is pre-authorized by a server computing device for secure transactions.
8. The method of claim 1, further comprising not storing the marked information in permanent storage of the client device.
9. A system for providing a secure operating mode of a computing device, the system comprising:
memory configured to store at least one of information and an executable file; and
one or more processors operatively coupled to the memory, the one or more processors configured to:
receive information indicating a selection of the secure operating mode;
after receiving the information, verify an operating-system level executable file;
execute the verified operating-system level executable file in read-only memory in order to conduct a transaction in the secure operating mode;
during the conducting of the transaction, receive information input to the computing device;
mark the received information input into the computing device as non-executable; and
temporarily store the marked information in volatile memory of the computing device.
10. The system of claim 9, wherein the one or more processors are configured to verify the operating-system level executable file by comparing a characteristic of the executable file with an encrypted security value, and wherein the verified operating-system level executable file is executed based on a result of the comparison.
11. The system of claim 9, wherein the one or more processors are configured to:
conduct the transaction by communicating with a server computing device, and
after verifying the operating-system level executable file, verify and execute only files that are necessary to communicate with the server computing device and conduct the transaction.
12. The system of claim 9, wherein the one or more processors are incorporated into the client device and the one or more processors are further configured to not execute files stored in a writable portion of memory of the client device while conducting the transaction in the secure operating mode.
13. The system of claim 9, wherein the one or more processors are further configured to verify the components of the computing device by:
verifying a bootloader file;
using the bootloader file to verify an operating system kernel file; and
using the verified operating system kernel file to verify the operating-system level executable file.
14. The system of claim 9, wherein the one or more processors are further configured to provide a visual indicator for display on an output device of the computing device during the secure operating mode to indicate that the computing device is operating in the secure operating mode, and the system further comprises a graphics engine configured to prevent the visual indicator from being displayed during a normal operating mode.
15. The system of claim 9, wherein the one or more processors are further configured to access a web site that is pre-authorized by a server computing device for secure transactions.
16. The system of claim 9, wherein the one or more processors are further configured not to store the marked information in permanent storage.
17. A non-transitory computer-readable storage medium on which computer readable instructions of a program are stored, the instructions, when executed by one or more processors, cause the processor to perform a method of providing a secure operating mode of a computing device, the method comprising:
receiving information indicating a selection of the secure operating mode;
after receiving the information, verifying an operating-system level executable file;
executing the verified operating-system level executable file in read-only memory in order to conduct a transaction in the secure operating mode;
during the conducting of the transaction, receiving information input to the computing device;
marking the received information input into the computing device as non-executable; and
temporarily storing the marked information in volatile memory of the computing device.
18. The medium of claim 17, wherein the method includes not executing files stored in a writable portion of memory of the client device while conducting the transaction in the secure operating mode.
19. The medium of claim 17, wherein the method further comprises accessing a web site that is pre-authorized by a server computing device for secure transactions.
20. The medium of claim 17, wherein the method further comprises not storing the marked information in permanent storage of the client device.
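The staged verification in claims 2 and 5 (and their system counterparts, claims 10 and 13) amounts to a hash chain anchored in a root-of-trust value: a trusted value checks the bootloader, the verified bootloader carries the expected digest of the kernel, and the verified kernel carries the expected digest of the OS-level executable. The Python below is an added illustration of that ordering and its fail-closed behaviour; it is not code from the patent or its assignee. The root key, stage names and sample images are assumptions, and an HMAC under that key stands in for the "encrypted security value" of claim 2 (a production design would verify a signature against a public key held in read-only storage).

```python
# Added example (not from the patent): a model of the staged verification
# in claims 2 and 5. Each stage's image carries the expected SHA-256 digest
# of the next stage; the root-of-trust value for the bootloader is an HMAC
# under a key assumed to live in read-only storage.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Hypothetical root key; on a real device this sits in ROM or a fused register.
ROOT_KEY = b"hypothetical-root-key-in-read-only-storage"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    """One link in the chain: bootloader, kernel or OS-level executable."""
    name: str
    code: bytes
    next_digest: bytes  # expected digest of the following stage; empty for the last

    def image(self) -> bytes:
        # The digest a stage publishes for its successor is part of the stage's
        # own image, so it is covered by whatever check verified this stage.
        return self.code + self.next_digest


def build_chain(bootloader_code: bytes, kernel_code: bytes, app_code: bytes) -> List[Stage]:
    """Link the stages back to front so each one commits to its successor."""
    app = Stage("os-level executable", app_code, b"")
    kernel = Stage("kernel", kernel_code, sha256(app.image()))
    bootloader = Stage("bootloader", bootloader_code, sha256(kernel.image()))
    return [bootloader, kernel, app]


def seal_root(bootloader: Stage) -> bytes:
    """The root-of-trust value for the first stage, modelled as an HMAC of the
    bootloader digest under the root key (stands in for a signed value)."""
    return hmac.new(ROOT_KEY, sha256(bootloader.image()), hashlib.sha256).digest()


class VerificationError(Exception):
    pass


def verify_chain(stages: List[Stage], root_value: bytes) -> List[str]:
    """Walk the chain in boot order and return the names of verified stages.

    Fails closed: the first mismatch raises and later stages are never
    examined, because nothing already verified vouches for them.
    """
    bootloader = stages[0]
    if not hmac.compare_digest(seal_root(bootloader), root_value):
        raise VerificationError(f"{bootloader.name}: root-of-trust check failed")
    verified = [bootloader.name]
    previous = bootloader
    for stage in stages[1:]:
        if not hmac.compare_digest(sha256(stage.image()), previous.next_digest):
            raise VerificationError(
                f"{stage.name}: digest does not match the value carried by {previous.name}"
            )
        verified.append(stage.name)
        previous = stage
    return verified


def secure_mode_ready(stages: List[Stage], root_value: bytes) -> bool:
    """Gate for entering the secure operating mode: all stages verify or none run."""
    try:
        verify_chain(stages, root_value)
        return True
    except VerificationError:
        return False


if __name__ == "__main__":
    # Constructed sample images standing in for real binaries.
    chain = build_chain(b"bootloader v1", b"kernel v1", b"payment-client v1")
    root = seal_root(chain[0])
    print(verify_chain(chain, root))

    # Swap only the executable: the kernel's recorded digest no longer matches.
    swapped = chain[:2] + [Stage("os-level executable", b"payment-client-evil", b"")]
    print(secure_mode_ready(swapped, root))

    # Rebuild the whole chain around a modified kernel: every embedded digest is
    # consistent, but the bootloader image changed, so the root check fails.
    rebuilt = build_chain(b"bootloader v1", b"kernel-evil", b"payment-client v1")
    print(secure_mode_ready(rebuilt, root))
```

The two tamper cases show why the ordering in claim 5 matters: an attacker who replaces a later stage is caught by the digest the earlier stage carries, and an attacker who rewrites every stage to keep the digests consistent changes the bootloader image, which the value outside the writable chain then rejects.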
US14/190,634 2010-06-30 2014-02-26 System and method for operating a computing device in a secure mode Active US9081985B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/190,634 US9081985B1 (en) 2010-06-30 2014-02-26 System and method for operating a computing device in a secure mode

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/827,330 US8700895B1 (en) 2010-06-30 2010-06-30 System and method for operating a computing device in a secure mode
US14/190,634 US9081985B1 (en) 2010-06-30 2014-02-26 System and method for operating a computing device in a secure mode

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/827,330 Continuation US8700895B1 (en) 2010-06-30 2010-06-30 System and method for operating a computing device in a secure mode

Publications (1)

Publication Number Publication Date
US9081985B1 true US9081985B1 (en) 2015-07-14

Family

ID=50441601

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/827,330 Active 2032-02-22 US8700895B1 (en) 2010-06-30 2010-06-30 System and method for operating a computing device in a secure mode
US14/190,634 Active US9081985B1 (en) 2010-06-30 2014-02-26 System and method for operating a computing device in a secure mode

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/827,330 Active 2032-02-22 US8700895B1 (en) 2010-06-30 2010-06-30 System and method for operating a computing device in a secure mode

Country Status (1)

Country Link
US (2) US8700895B1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9378499B2 (en) 2012-06-12 2016-06-28 Square, Inc. Software PIN entry
WO2014085605A2 (en) * 2012-11-28 2014-06-05 Intrepid Networks, Llc Integrated systems and methods providing situational awareness of operations in an organization
US9613356B2 (en) 2013-09-30 2017-04-04 Square, Inc. Secure passcode entry user interface
US9928501B1 (en) 2013-10-09 2018-03-27 Square, Inc. Secure passcode entry docking station
CN115062291A (en) 2015-08-21 2022-09-16 密码研究公司 Method, system, and computer readable medium for managing containers
US10078748B2 (en) * 2015-11-13 2018-09-18 Microsoft Technology Licensing, Llc Unlock and recovery for encrypted devices
GB2546304B (en) * 2016-01-14 2020-04-08 Avecto Ltd Computer device and method for controlling access to a web resource
CN105809440B (en) * 2016-03-29 2020-09-11 北京小米移动软件有限公司 Online payment method and device
US10664599B2 (en) 2017-05-01 2020-05-26 International Business Machines Corporation Portable executable and non-portable executable boot file security
US20200104476A1 (en) * 2018-09-28 2020-04-02 Kromtech Alliance Corp. Method for protecting a camera and a microphone from unauthorized access
US11921859B2 (en) * 2021-11-04 2024-03-05 Dell Products L.P. System and method for managing device security during startup
CN115629824B (en) * 2022-12-01 2023-08-15 摩尔线程智能科技(北京)有限责任公司 GPU starting method, device, equipment, storage medium and program product

Citations (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6192477B1 (en) * 1999-02-02 2001-02-20 Dagg Llc Methods, software, and apparatus for secure communication over a computer network
US20020016913A1 (en) 2000-08-04 2002-02-07 Wheeler Lynn Henry Modifying message data and generating random number digital signature within computer chip
US20050119978A1 (en) 2002-02-28 2005-06-02 Fikret Ates Authentication arrangement and method for use with financial transactions
US6961759B2 (en) * 2001-09-24 2005-11-01 International Business Machines Corporation Method and system for remotely managing persistent state data
US20060015717A1 (en) 2004-07-15 2006-01-19 Sony Corporation And Sony Electronics, Inc. Establishing a trusted platform in a digital processing system
US20060090084A1 (en) * 2004-10-22 2006-04-27 Mark Buer Secure processing environment
US7072869B2 (en) 1999-11-05 2006-07-04 Microsoft Corporation Integrated circuit card with situation dependent identity authentication
US20060161435A1 (en) 2004-12-07 2006-07-20 Farsheed Atef System and method for identity verification and management
US7117369B1 (en) 1999-05-03 2006-10-03 Microsoft Corporation Portable smart card secured memory system for porting user profiles and documents
US20060242423A1 (en) 2005-04-22 2006-10-26 Kussmaul John W Isolated authentication device and associated methods
US7130951B1 (en) * 2002-04-18 2006-10-31 Advanced Micro Devices, Inc. Method for selectively disabling interrupts on a secure execution mode-capable processor
WO2006120365A1 (en) 2004-05-10 2006-11-16 Hani Girgis Secure transactions using a personal computer
US20070005492A1 (en) 2003-05-20 2007-01-04 Min-Suh Kim Electronic settlement method by conditional trade
US20070088950A1 (en) 1998-11-09 2007-04-19 First Data Corporation Account-based digital signature (abds) system using biometrics
US20070219926A1 (en) 2006-10-18 2007-09-20 Stanley Korn Secure method and system of identity authentication
US7315830B1 (en) 2000-08-11 2008-01-01 Nexus Company, Ltd. Method, system and computer program product for ordering merchandise in a global computer network environment
US20080005560A1 (en) 2006-06-29 2008-01-03 Microsoft Corporation Independent Computation Environment and Provisioning of Computing Device Functionality
WO2008067124A2 (en) 2006-11-17 2008-06-05 Hewlett-Packard Development Company, L.P. Apparatus, and associated method, for providing secure data entry of confidential information
US7424398B2 (en) 2006-06-22 2008-09-09 Lexmark International, Inc. Boot validation system and method
US20090119194A1 (en) 2007-11-01 2009-05-07 American Express Travel Related Services Company, Inc. System and method for facilitating a secured financial transaction using an alternate shipping address
US7571484B2 (en) * 2003-12-04 2009-08-04 Microsoft Corporation System and method for image authentication of a resource-sparing operating system
US20090282247A1 (en) 2004-08-17 2009-11-12 Research In Motion Limited Method, system and device for authenticating a user
US20100088237A1 (en) 2008-10-04 2010-04-08 Wankmueller John R Methods and systems for using physical payment cards in secure e-commerce transactions
US7831838B2 (en) * 2004-03-05 2010-11-09 Microsoft Corporation Portion-level in-memory module authentication
US7844551B1 (en) 2003-10-02 2010-11-30 Patent Investments of Texas, LLC Secure, anonymous authentication for electronic purchasing with dynamic determination of payment pricing and terms and cross vendor transaction resolution
US20110004721A1 (en) 2009-07-02 2011-01-06 STMicroelectronics (Research & Development)Limited Loading secure code into a memory
US20110231332A1 (en) 2010-03-22 2011-09-22 Bank Of America Corporation Systems and methods for authenticating a user for accessing account information using a web-enabled device
US8108318B2 (en) 2008-06-06 2012-01-31 Ebay Inc. Trusted service manager (TSM) architectures and methods
US8171295B2 (en) 2003-12-02 2012-05-01 International Business Machines Corporation Information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable process
US8181020B2 (en) * 2005-02-02 2012-05-15 Insyde Software Corp. System and method for securely storing firmware
US8312523B2 (en) 2006-03-31 2012-11-13 Amazon Technologies, Inc. Enhanced security for electronic communications

Patent Citations (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070088950A1 (en) 1998-11-09 2007-04-19 First Data Corporation Account-based digital signature (abds) system using biometrics
US6192477B1 (en) * 1999-02-02 2001-02-20 Dagg Llc Methods, software, and apparatus for secure communication over a computer network
US7117369B1 (en) 1999-05-03 2006-10-03 Microsoft Corporation Portable smart card secured memory system for porting user profiles and documents
US7072869B2 (en) 1999-11-05 2006-07-04 Microsoft Corporation Integrated circuit card with situation dependent identity authentication
US20020016913A1 (en) 2000-08-04 2002-02-07 Wheeler Lynn Henry Modifying message data and generating random number digital signature within computer chip
US7315830B1 (en) 2000-08-11 2008-01-01 Nexus Company, Ltd. Method, system and computer program product for ordering merchandise in a global computer network environment
US6961759B2 (en) * 2001-09-24 2005-11-01 International Business Machines Corporation Method and system for remotely managing persistent state data
US20050119978A1 (en) 2002-02-28 2005-06-02 Fikret Ates Authentication arrangement and method for use with financial transactions
US7130951B1 (en) * 2002-04-18 2006-10-31 Advanced Micro Devices, Inc. Method for selectively disabling interrupts on a secure execution mode-capable processor
US20070005492A1 (en) 2003-05-20 2007-01-04 Min-Suh Kim Electronic settlement method by conditional trade
US7844551B1 (en) 2003-10-02 2010-11-30 Patent Investments of Texas, LLC Secure, anonymous authentication for electronic purchasing with dynamic determination of payment pricing and terms and cross vendor transaction resolution
US8171295B2 (en) 2003-12-02 2012-05-01 International Business Machines Corporation Information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable process
US7571484B2 (en) * 2003-12-04 2009-08-04 Microsoft Corporation System and method for image authentication of a resource-sparing operating system
US7831838B2 (en) * 2004-03-05 2010-11-09 Microsoft Corporation Portion-level in-memory module authentication
WO2006120365A1 (en) 2004-05-10 2006-11-16 Hani Girgis Secure transactions using a personal computer
US7716494B2 (en) 2004-07-15 2010-05-11 Sony Corporation Establishing a trusted platform in a digital processing system
US20060015717A1 (en) 2004-07-15 2006-01-19 Sony Corporation And Sony Electronics, Inc. Establishing a trusted platform in a digital processing system
US20090282247A1 (en) 2004-08-17 2009-11-12 Research In Motion Limited Method, system and device for authenticating a user
US20060090084A1 (en) * 2004-10-22 2006-04-27 Mark Buer Secure processing environment
US20060161435A1 (en) 2004-12-07 2006-07-20 Farsheed Atef System and method for identity verification and management
US8181020B2 (en) * 2005-02-02 2012-05-15 Insyde Software Corp. System and method for securely storing firmware
US20060242423A1 (en) 2005-04-22 2006-10-26 Kussmaul John W Isolated authentication device and associated methods
US8312523B2 (en) 2006-03-31 2012-11-13 Amazon Technologies, Inc. Enhanced security for electronic communications
US7424398B2 (en) 2006-06-22 2008-09-09 Lexmark International, Inc. Boot validation system and method
US20080005560A1 (en) 2006-06-29 2008-01-03 Microsoft Corporation Independent Computation Environment and Provisioning of Computing Device Functionality
US20070219926A1 (en) 2006-10-18 2007-09-20 Stanley Korn Secure method and system of identity authentication
WO2008067124A2 (en) 2006-11-17 2008-06-05 Hewlett-Packard Development Company, L.P. Apparatus, and associated method, for providing secure data entry of confidential information
US20090119194A1 (en) 2007-11-01 2009-05-07 American Express Travel Related Services Company, Inc. System and method for facilitating a secured financial transaction using an alternate shipping address
US8108318B2 (en) 2008-06-06 2012-01-31 Ebay Inc. Trusted service manager (TSM) architectures and methods
US20100088237A1 (en) 2008-10-04 2010-04-08 Wankmueller John R Methods and systems for using physical payment cards in secure e-commerce transactions
US20110004721A1 (en) 2009-07-02 2011-01-06 STMicroelectronics (Research & Development)Limited Loading secure code into a memory
US20110231332A1 (en) 2010-03-22 2011-09-22 Bank Of America Corporation Systems and methods for authenticating a user for accessing account information using a web-enabled device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Arbaugh et al. "A secure and reliable bootstrap architecture", Security and Privacy, 1997, Proceedings, 1997 IEEE Symposium, 1997, pp. 65-71. *
Arbaugh, William A.; Farber, D.J.; Smith, Jonathan M., "A Secure and Reliable Bootstrap Architecture." Security and Privacy, 1997, Proceedings., 1997 IEEE Symposium on. 1997, pp. 65-71 [retrieved on Mar. 6, 2013 from IEEE database].
Gookwon Edward Suh (AEGIS: A Single-Chip Secure Processor, 2005).

Also Published As

Publication number Publication date
US8700895B1 (en) 2014-04-15

Similar Documents

Publication Publication Date Title
US9081985B1 (en) System and method for operating a computing device in a secure mode
US9118666B2 (en) Computing device integrity verification
US7971059B2 (en) Secure channel for image transmission
KR101497742B1 (en) System and method for authentication, data transfer, and protection against phising
US9871821B2 (en) Securely operating a process using user-specific and device-specific security constraints
US8789037B2 (en) Compatible trust in a computing device
US8095799B2 (en) Ticket authorized secure installation and boot
US8850526B2 (en) Online protection of information and resources
US11140150B2 (en) System and method for secure online authentication
US10839383B2 (en) System and method for providing transaction verification
CN112257086B (en) User privacy data protection method and electronic equipment
JP2004265286A (en) Management of mobile device according to security policy selected in dependence on environment
US11886716B2 (en) System and method to secure a computer system by selective control of write access to a data storage medium
KR20200000576A (en) A Method For Detecting Counterfeit application in Mobile Device Based On Blockchain
Maruyama et al. Linux with TCPA integrity measurement
Guan et al. Mobile Browser as a Second Factor for Web Authentication
Wang et al. A trusted mobile payment environment based on trusted computing and virtualization technology
EP3261009A1 (en) System and method for secure online authentication
JP2019129385A (en) Information processing unit, authentication server, authentication control method and authentication control program

Legal Events

Date Code Title Description
AS Assignment. Owner name: GOOGLE INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NAGUIB, NAYER;REEL/FRAME:032321/0525. Effective date: 20100630
STCF Information on status: patent grant. Free format text: PATENTED CASE
AS Assignment. Owner name: GOOGLE LLC, CALIFORNIA. Free format text: CHANGE OF NAME;ASSIGNOR:GOOGLE INC.;REEL/FRAME:044334/0466. Effective date: 20170929
MAFP Maintenance fee payment. Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4
MAFP Maintenance fee payment. Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8